S3C2 Summit 2023-02: Industry Secure Supply Chain Summit

TL;DR

The paper summarizes a 2023 industry summit where practitioners shared experiences and challenges in securing software supply chains, emphasizing collaboration and practical insights into SBOMs, dependencies, and vulnerabilities.

Contribution

It provides a detailed summary of industry discussions on software supply chain security challenges and collaborative approaches from a diverse set of practitioners.

Findings

Shared practical challenges in securing supply chains

Highlighted importance of SBOMs and dependency management

Emphasized need for industry collaboration

Abstract

Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On February 22, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 15 companies. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security and helping to form new collaborations. We conducted six-panel discussions based upon open-ended questions regarding software bill of materials (SBOMs), malicious commits, choosing new dependencies, build and deploy,the Executive Order 14028, and vulnerable dependencies. The open discussions enabled mutual sharing and shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain. In this paper, we provide a summary of the Summit. Full panel questions can be found in the appendix.